CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,808 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 65 of 77
- CVE-2025-7974HIGHCVSS 7.5EG 3.72025-09-02
rocket.chat Incorrect Authorization Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of rocket.chat. Authentication is not required to exploit this…
- CVE-2025-8068MEDIUMCVSS 4.3EG 4.32025-07-31
The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to unauthorized modification and loss of data due to an improper capability check on the 'ajax_trash_templates' function in all versions up to, and including,…
- CVE-2025-8148MEDIUMCVSS 4.2EG 4.22025-12-05
An Improper Access Control in the SFTP service in Fortra's GoAnywhere MFT prior to version 7.9.0 allows Web Users with an Authentication Alias and a valid SSH key but limited to Password authentication for SFTP to still login using their S…
- CVE-2025-8434HIGHCVSS 7.3EG 7.32025-08-01
A vulnerability was found in code-projects Online Movie Streaming 1.0. It has been classified as critical. Affected is an unknown function of the file /admin.php. The manipulation of the argument ID leads to missing authorization. It is po…
- CVE-2025-8435HIGHCVSS 7.3EG 7.32025-08-01
A vulnerability was found in code-projects Online Movie Streaming 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin-control.php. The manipulation of the argument ID leads t…
- CVE-2025-8533MEDIUMCVSS 6.9EG 6.92025-08-07
A vulnerability was identified in the XPC services of Fantastical. The services failed to implement proper client authorization checks in its listener:shouldAcceptNewConnection method, unconditionally accepting requests from any local proc…
- CVE-2025-8796MEDIUMCVSS 5.4EG 5.42025-08-10
A vulnerability has been found in LitmusChaos Litmus up to 3.19.0 and classified as problematic. This vulnerability affects unknown code of the file /auth/delete_project/ of the component Delete Request Handler. The manipulation of the arg…
- CVE-2025-8807HIGHCVSS 8.8EG 6.32025-08-10
A vulnerability was found in xujeff tianti 天梯 up to 2.3. It has been declared as critical. This vulnerability affects unknown code of the file /tianti-module-admin/user/ajax/save. The manipulation leads to missing authorization. The at…
- CVE-2025-8886MEDIUMCVSS 6.7EG 6.72025-10-10
Incorrect Permission Assignment for Critical Resource, Exposure of Sensitive Information to an Unauthorized Actor, Missing Authorization, Incorrect Authorization vulnerability in Usta Information Systems Inc. Aybs Interaktif allows Privile…
- CVE-2025-9056MEDIUMCVSS 5.3EG 5.32025-12-10
Unprotected service in the AudioLink component allows a local attacker to overwrite system files via unauthorized service invocation.
- CVE-2025-9228MEDIUMCVSS 4.3EG 4.32025-08-20
MiR software versions prior to version 3.0.0 have insufficient authorization controls when creating text notes, allowing low-privilege users to create notes which are intended only for administrative users.
- CVE-2025-9376MEDIUMCVSS 6.5EG 6.52025-08-28
The Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection plugin for WordPress is vulnerable to unauthorized access of data due to an insufficient capability check on the 'stopbadbots_check_wordpress_logged_in_cook…
- CVE-2025-9602MEDIUMCVSS 6.5EG 6.32025-08-29
A vulnerability was found in Xinhu RockOA up to 2.6.9. Impacted is the function publicsaveAjax of the file /index.php. Performing manipulation results in improper authorization. The attack is possible to be carried out remotely. The exploi…
- CVE-2025-9803HIGHCVSS 8.8EG 9.32025-11-25
lunary-ai/lunary version 1.9.34 is vulnerable to an account takeover due to improper authentication in the Google OAuth integration. The application fails to verify the 'aud' (audience) field in the access token issued by Google, which is …
- CVE-2025-9835MEDIUMCVSS 4.3EG 4.32025-09-02
A vulnerability has been found in macrozheng mall up to 1.0.3. This affects the function cancelOrder of the file /order/cancelUserOrder. The manipulation of the argument orderId leads to authorization bypass. The attack can be initiated re…
- CVE-2025-9955MEDIUMCVSS 5.7EG 5.72025-10-16
An improper access control vulnerability exists in WSO2 Enterprise Integrator product due to insufficient permission restrictions on internal SOAP admin services related to system logs and user-store configuration. A low-privileged user ca…
- CVE-2025-9957LOWCVSS 2.7EG 2.72026-04-22
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.2 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that under certain conditions could have allowed an authenticated user with project owner permiss…
- CVE-2025-9973MEDIUMCVSS 6.4EG 6.42026-05-11
Due to not validating the organization context when executing adaptive authentication flows, the WSO2 Identity Server allows adaptive authentication logic to be triggered on unintended organizations. A malicious actor with privileges to co…
- CVE-2026-0272HIGHCVSS 7.2EG 7.22026-06-10
A privilege escalation vulnerability in Palo Alto Networks PAN-OS® software allows an authenticated administrator with access to the Command Line Interface (CLI) to perform actions on the device with root privileges. The security risk …
- CVE-2026-0562HIGHCVSS 8.3EG 8.32026-03-29
A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or reject friend requests belonging to other users. The `respond_request()` function in `backend/routers/friends.py` does not…
- CVE-2026-0684MEDIUMCVSS 4.3EG 4.32026-01-13
The CP Image Store with Slideshow plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.9 due to a logic error in the 'cpis_admin_init' function's permission check. This makes it possible for …
- CVE-2026-0831MEDIUMCVSS 5.3EG 5.32026-01-10
The Templately plugin for WordPress is vulnerable to Arbitrary File Write in all versions up to, and including, 3.4.8. This is due to inadequate input validation in the `save_template_to_file()` function where user-controlled parameters li…
- CVE-2026-0934LOWCVSS 3.8EG 3.82026-06-25
GitLab has remediated an issue in GitLab EE affecting all versions from 17.9 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with custom role permissions to …
- CVE-2026-0997MEDIUMCVSS 4.3EG 4.32026-02-16
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 and Mattermost Plugin Zoom versions <=1.11.0 fail to validate the authenticated user when processing {{/plugins/zoom/api/v1/channel-preference}}, which allows any l…
- CVE-2026-1007HIGHCVSS 7.6EG 7.62026-01-19
Incorrect Authorization vulnerability in virtual gateway component in Devolutions Server allows attackers to bypass deny IP rules.This issue affects Server: from 2025.3.1 through 2025.3.12.
- CVE-2026-10106MEDIUMCVSS 6.5EG 6.52026-07-13
Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to verify that the channel referenced in an action cookie matches the channel of the target post, which allows an authenticated user without access to a priva…
- CVE-2026-10211MEDIUMCVSS 6.3EG 6.32026-06-01
A vulnerability was determined in AstrBotDevs AstrBot 4.23.6. Affected by this issue is the function _normalize_rw_path of the file astrbot/core/tools/computer_tools/fs.py. This manipulation causes incorrect authorization. It is possible t…
- CVE-2026-10616MEDIUMCVSS 4.3EG 4.32026-06-02
A weakness has been identified in nextlevelbuilder GoClaw up to 3.11.3. The impacted element is the function TeamTasksTool.executeComplete of the file internal/tools/team_tasks_lifecycle.go of the component Team Task Completion Handler. Ex…
- CVE-2026-10741MEDIUMCVSS 5.9EG 5.92026-06-17
Sonatype Nexus Repository Manager before 3.93.0 contains an authorization vulnerability in the proxy repository configuration that allows a delegated repository administrator to disclose stored upstream proxy credentials.
- CVE-2026-10815MEDIUMCVSS 6.3EG 6.32026-06-04
A vulnerability was found in LakshayD02 Hostel-Management-System-PHP up to f87e67c283bab6f718faf2fec6ae39a13bd7036b. This issue affects some unknown processing of the file hostel/index.php of the component Admin Dashboard Page. The manipul…
- CVE-2026-10860MEDIUMCVSS 6.5EG 6.52026-06-04
A logic error in the MISP CRUD component delete handler allowed validation failures to be bypassed when requests used the HTTP DELETE method. Due to missing parentheses in the delete condition, the expression was evaluated as ($validationE…
- CVE-2026-11379MEDIUMCVSS 5.3EG 5.32026-06-25
GitLab has remediated an issue in GitLab EE affecting all versions from 13.11 prior to 18.11.6, 19.0 prior to 19.0.3, and 19.1 prior to 19.1.1 in which incorrect authorization in DAST site profile management could allow a user with Develop…
- CVE-2026-12352MEDIUMCVSS 5.9EG 5.92026-07-07
This vulnerability allows an unauthenticated actor to bypass authentication and gain access to restricted resources on the device.
- CVE-2026-12446MEDIUMCVSS 4.3EG 4.32026-06-17
Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
- CVE-2026-12797MEDIUMCVSS 6.3EG 6.32026-06-21
A security flaw has been discovered in BerriAI litellm up to 1.82.5. Affected is the function async_pre_call_hook of the file enterprise/enterprise_hooks/banned_keywords.py of the component Completions Interface. The manipulation of the ar…
- CVE-2026-13151MEDIUMCVSS 4.3EG 2.72026-07-08
GitLab has remediated an issue in GitLab EE affecting all versions from 16.10 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user to modify group-level settings …
- CVE-2026-13232LOWCVSS 3.1EG 9.82026-07-10
Incorrect Authorization vulnerability in Drupal Advanced Content Feedback (aka admin_feedback) allows Forceful Browsing. This issue affects Advanced Content Feedback (aka admin_feedback) versions: from 0.0.0 to 2.8.0.
- CVE-2026-13237MEDIUMCVSS 4.8EG 9.12026-07-10
Incorrect Authorization vulnerability in Drupal AI Agents allows Forceful Browsing. This issue affects AI Agents versions: from 0.0.0 to 1.1.4, from 1.2.0 to 1.2.5, from 1.3.0 to 1.3.1.
- CVE-2026-13238MEDIUMCVSS 4.8EG 9.12026-07-10
Incorrect Authorization vulnerability in Drupal Commerce Realex / Global Payments allows Forceful Browsing. This issue affects Commerce Realex / Global Payments versions: from 0.0.0 to 3.0.2.
- CVE-2026-13484HIGHCVSS 8.8EG 5.02026-06-28
A vulnerability has been found in MLflow up to 4666cffc7912ea606d592fc38d6a75e2935f65e7. The impacted element is an unknown function of the component Experiment-scoped Label Schema CRUD API. Such manipulation leads to missing authorization…
- CVE-2026-13508MEDIUMCVSS 5.5EG 5.52026-06-28
A flaw has been found in khoj-ai khoj up to 2.0.0-beta.28. This impacts an unknown function of the file src/khoj/routers/api_chat.py of the component Conversation Sharing Handler. This manipulation of the argument conversation.agent causes…
- CVE-2026-1359HIGHCVSS 8.8EG 8.82026-07-11
The Genolve – AI image AI video generation plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the genolve_setOpt() function in all versions up to, and including, 5.0.5. This makes…
- CVE-2026-14340MEDIUMCVSS 5.0EG 5.02026-07-01
An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a user-to-server token scoped to a GitHub App installation to perform certain write operations on public repositories outside the token's inte…
- CVE-2026-14536HIGHCVSS 8.8EG 8.82026-07-06
Improper enforcement of a mandatory multi-factor authentication policy in Devolutions Server 2026.2.9.0 allows an attacker with valid user credentials to bypass the MFA Required policy and authenticate without completing multi-factor authe…
- CVE-2026-1471MEDIUMCVSS 6.5EG 6.52026-03-11
Excessive caching of authentication context in Neo4j Enterprise edition versions prior to 2026.01.4 leads to authenticated users inheriting the context of the first user who authenticated after restart. The issue is limited to certain non-…
- CVE-2026-14716MEDIUMCVSS 6.3EG 6.32026-07-05
A security vulnerability has been detected in nextlevelbuilder GoClaw up to 3.13.0-beta.2. Impacted is the function MethodRouter.Handle of the file internal/gateway/router.go of the component WebSocket RPC Handler. Such manipulation leads …
- CVE-2026-14896MEDIUMCVSS 4.2EG 4.22026-07-08
HashiCorp Nomad and Nomad Enterprise are vulnerable to a cross-namespace authorization bypass in the dynamic host volumes feature that may allow an operator holding the host volume delete permission in one namespace to delete a sticky volu…
- CVE-2026-1497HIGHCVSS 7.2EG 7.22026-03-11
Incorrect resolving of namespaces in composite databases in Neo4j Enterprise edition prior to versions 2026.02 and 5.26.22 can lead to the following scenario: an admin that intends to give a user an access to a remote database constituen…
- CVE-2026-15123HIGHCVSS 8.8EG 8.82026-07-08
Inappropriate implementation in DOM in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
- CVE-2026-15125HIGHCVSS 8.8EG 8.82026-07-08
Inappropriate implementation in Forms in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →